documentation.suse.com / Documentação do SUSE Linux Enterprise Server / Administration Guide / Common tasks / sudo basics
Applies to SUSE Linux Enterprise Server 15 SP4

2 sudo basics

 

Running certain commands requires root privileges. However, for security reasons and to avoid mistakes, it is not recommended to log in as root. A safer approach is to log in as a regular user, and then use sudo to run commands with elevated privileges.

On SUSE Linux Enterprise Server, sudo is configured to work similarly to su. However, sudo provides a flexible mechanism that allows users to run commands with privileges of any other user. This can be used to assign roles with specific privileges to certain users and groups. For example, it is possible to allow members of the group users to run a command with the privileges of user wilber. Access to the command can be further restricted by disallowing any command options. While su always requires the root password for authentication with PAM, sudo can be configured to authenticate with your own credentials. This means that the users do not need to share the root password, which improves security.

2.1 Basic sudo usage

 

The following chapter provides an introduction to basic usage of sudo.

2.1.1 Running a single command

 

As a regular user, you can run any command as root by adding sudo before it. This prompts you to provide the root password. If authenticated successfully, this runs the command as root: 

> id -un1
tux
> sudo id -un
root's password:2
root
> id -un
tux3
> sudo id -un
4
root

1

The id -un command prints the login name of the current user.

2

The password is not shown during input, neither as clear text nor as masking characters.

3

Only commands that start with sudo run with elevated privileges.

4

The elevated privileges persist for a certain period of time, so you do not need to provide the root password again.

Tip
Tip: I/O redirection

When using sudo, I/O redirection does not work: 

> sudo echo s > /proc/sysrq-trigger
bash: /proc/sysrq-trigger: Permission denied
> sudo cat < /proc/1/maps
bash: /proc/1/maps: Permission denied

In the example above, only the echo and cat commands run with elevated privileges. The redirection is done by the user's shell with user privileges. To perform redirection with elevated privileges, either start a shell as in Section 2.1.2, “Starting a shell” or use the dd utility: 

echo s | sudo dd of=/proc/sysrq-trigger
sudo dd if=/proc/1/maps | cat

2.1.2 Starting a shell

 

Using sudo every time to run a command with elevated privileges is not always practical. While you can use the sudo bash command, it is recommended to use one of the built-in mechanisms to start a shell:

sudo -s (<command>)

Starts a shell specified by the SHELL environment variable or the target user's default shell. If a command is specified, it is passed to the shell (with the -c option). Otherwise the shell runs in interactive mode. 

tux:~ > sudo -s
root's password:
root:/home/tux # exit
tux:~ >
sudo -i (<command>)

Similar to -s, but starts the shell as a login shell. This means that the shell's start-up files (.profile etc.) are processed, and the current working directory is set to the target user's home directory. 

tux:~ > sudo -i
root's password:
root:~ # exit
tux:~ >
Tip
Tip: Environment variables

By default, sudo does not propagate environment variables. This behavior can be changed using the env_reset option (see Useful flags and options).

2.2 Configuring sudo

 

sudo provides a wide range on configurable options.

Note
Note: Locked yourself out of sudo

If you accidentally locked yourself out of sudo, use su - and the root password to start a root shell. To fix the error, run visudo.

2.2.1 Editing the configuration files

 

The main policy configuration file for sudo is /etc/sudoers. As it is possible to lock yourself out of the system if the file is malformed, it is strongly recommended to use visudo for editing. It prevents editing conflicts and checks for syntax errors before saving the modifications.

You can use another editor instead of vi by setting the EDITOR environment variable, for example: 

sudo EDITOR=/usr/bin/nano visudo

Keep in mind that the /etc/sudoers file is supplied by the system packages, and modifications done directly in the file may break updates. Therefore, it is recommended to put custom configuration into files in the /etc/sudoers.d/ directory. Use the following command to create or edit a file: 

sudo visudo -f /etc/sudoers.d/NAME

The command bellow opens the file using a different editor (in this case, nano): 

sudo EDITOR=/usr/bin/nano visudo -f /etc/sudoers.d/NAME
Note
Note: Ignored files in /etc/sudoers.d

The #includedir directive in /etc/sudoers ignores files that end with the ~ (tilde) character or contain the . (dot) character.

For more information on the visudo command, run man 8 visudo.

2.2.2 Basic sudoers configuration syntax

 

The sudoers configuration files contain two types of options: strings and flags. While strings can contain any value, flags can be turned either ON or OFF. The most important syntax constructs for sudoers configuration files are as follows: 

# Everything on a line after # is ignored 1
Defaults !insults # Disable the insults flag 2
Defaults env_keep += "DISPLAY HOME" # Add DISPLAY and HOME to env_keep
tux ALL = NOPASSWD: /usr/bin/frobnicate, PASSWD: /usr/bin/journalctl 3

1

There are two exceptions: #include and #includedir are regular commands.

2

Remove the ! character to set the desired flag to ON.

3

See Section 2.2.3, “Basic sudoers rules”.

Useful flags and options
 
targetpw

This flag controls whether the invoking user is required to enter the password of the target user (ON) (for example root) or the invoking user (OFF). 

Defaults targetpw # Turn targetpw flag ON
rootpw

If set, sudo prompts for the root password. The default is OFF. 

Defaults !rootpw # Turn rootpw flag OFF
env_reset

If set, sudo constructs a minimal environment with TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME, and SUDO_*. Additionally, variables listed in env_keep are imported from the calling environment. The default is ON. 

Defaults env_reset # Turn env_reset flag ON
env_keep

List of environment variables to keep when the env_reset flag is ON. 

# Set env_keep to contain EDITOR and PROMPT
Defaults env_keep = "EDITOR PROMPT"
Defaults env_keep += "JRE_HOME" # Add JRE_HOME
Defaults env_keep -= "JRE_HOME" # Remove JRE_HOME
env_delete

List of environment variables to remove when the env_reset flag is OFF. 

# Set env_delete to contain EDITOR and PROMPT
Defaults env_delete = "EDITOR PROMPT"
Defaults env_delete += "JRE_HOME" # Add JRE_HOME
Defaults env_delete -= "JRE_HOME" # Remove JRE_HOME

The Defaults token can also be used to create aliases for a collection of users, hosts, and commands. Furthermore, it is possible to apply an option only to a specific set of users.

For detailed information about the /etc/sudoers configuration file, consult man 5 sudoers.

2.2.3 Basic sudoers rules

 

Each rule follows the following scheme ([] marks optional parts): 

#Who      Where         As whom      Tag                What
User_List Host_List = [(User_List)] [NOPASSWD:|PASSWD:] Cmnd_List
sudoers rule syntax
 
User_List

One or several (separated by comma) identifiers: either a user name, a group in the format %GROUPNAME, or a user ID in the format #UID. Negation can be specified with the ! prefix.

Host_List

One or several (separated by comma) identifiers: either a (fully qualified) host name or an IP address. Negation can be specified with the ! prefix. ALL is a common choice for Host_List.

NOPASSWD:|PASSWD:

The user is not prompted for a password when running commands matching Cmd_List after NOPASSWD:.

PASSWD is the default. It only needs to be specified when both PASSWD and NOPASSWD are on the same line: 

tux ALL = PASSWD: /usr/bin/foo, NOPASSWD: /usr/bin/bar
Cmnd_List

One or several (separated by comma) specifiers: A path to an executable, followed by an optional allowed argument. 

/usr/bin/foo     # Anything allowed
/usr/bin/foo bar # Only "/usr/bin/foo bar" allowed
/usr/bin/foo ""  # No arguments allowed

ALL can be used as User_List, Host_List, and Cmnd_List.

A rule that allows tux to run all commands as root without entering a password: 

tux ALL = NOPASSWD: ALL

A rule that allows tux to run systemctl restart apache2: 

tux ALL = /usr/bin/systemctl restart apache2

A rule that allows tux to run wall as admin with no arguments: 

tux ALL = (admin) /usr/bin/wall ""
Warning
Warning: Unsafe rules

Do not use rules like ALL ALL = ALL without Defaults targetpw. Otherwise anyone can run commands as root.

Important
Important: Winbind and sudo

When specifying the group name in the sudoers file, make sure that you use the NetBIOS domain name instead of the realm, for example: 

%DOMAIN\\GROUP_NAME ALL = (ALL) ALL

Keep in mind that when using winbindd, the format also depends on the winbind separator option in the smb.conf file. By default, it is \. If it is changed, for example, to +, then the account format in the sudoers file must be DOMAIN+GROUP_NAME.

2.3 sudo use cases

 

While the default configuration works for standard usage scenarios, you can customize the default configuration to meet your specific needs.

2.3.1 Using sudo without root password

 

By design, members of the group wheel can run all commands with sudo as root. The following procedure explains how to add a user account to the wheel group.

  1. Verify that the wheel group exists: 

    > getent group wheel

    If the previous command returned no result, install the system-group-wheel package that creates the wheel group: 

    > sudo zypper install system-group-wheel

  2. Add your user account to the group wheel.

    If your user account is not already a member of the wheel group, add it using the sudo usermod -a -G wheel USERNAME command. Log out and log in again to enable the change. Verify that the change was successful by running the groups USERNAME command.

  3. Authenticate with the user account's normal password.

    Create the file /etc/sudoers.d/userpw using the visudo command (see Section 2.2.1, “Editing the configuration files”) and add the following: 

    Defaults !targetpw

  4. Select a new default rule.

    Depending on whether you want users to re-enter their passwords, uncomment the appropriate line in /etc/sudoers and comment out the default rule. 

    ## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL) ALL

## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL

  5. Make the default rule more restrictive.

    Comment out or remove the allow-everything rule in /etc/sudoers: 

    ALL     ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
    Warning
    Warning: Dangerous rule in sudoers

    Do not skip this step. Otherwise any user can execute any command as root!

  6. Test the configuration.

    Run sudo as member and non-member of wheel. 

    tux:~ > groups
users wheel
tux:~ > sudo id -un
tux's password:
root
wilber:~ > groups
users
wilber:~ > sudo id -un
wilber is not in the sudoers file.  This incident will be reported.

2.3.2 Using sudo with X.Org applications

 

Starting graphical applications with sudo usually results in the following error: 

> sudo xterm
xterm: Xt error: Can't open display: %s
xterm: DISPLAY is not set

A simple workaround is to use xhost to temporarily allow the root user to access the local user's X session. This is done using the following command: 

xhost si:localuser:root

The command below removes the granted access: 

xhost -si:localuser:root
Warning
Warning: Potential security issue

Running graphical applications with root privileges has security implications. It is recommended to enable root access for a graphical application only as an exception. It is also recommended to revoke the granted root access as soon as the graphical application is closed.

2.4 More information

 

The sudo --help command offers a brief overview of the available command line options, while the man sudoers command provides detailed information about sudoers and its configuration.